
Showing papers on "Data Authentication Algorithm published in 2002"


01 Jan 2002
TL;DR: The TESLA (Timed Efficient Stream Loss-tolerant Authentication) broadcast authentication protocol is presented, an efficient protocol with low communication and computation overhead, which scales to large numbers of receivers, and tolerates packet loss.
Abstract: One of the main challenges of securing broadcast communication is source authentication, or enabling receivers of broadcast data to verify that the received data really originates from the claimed source and was not modified en route. This problem is complicated by mutually untrusted receivers and unreliable communication environments where the sender does not retransmit lost packets. This article presents the TESLA (Timed Efficient Stream Loss-tolerant Authentication) broadcast authentication protocol, an efficient protocol with low communication and computation overhead, which scales to large numbers of receivers, and tolerates packet loss. TESLA is based on loose time synchronization between the sender and the receivers. Despite using purely symmetric cryptographic functions (MAC functions), TESLA achieves asymmetric properties. We discuss a PKI application based purely on TESLA, assuming that all network nodes are loosely time synchronized.

958 citations


06 Mar 2002
TL;DR: This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions, which can be used with any iterative FIPS-approved cryptographic hash function, in combination with a shared secret key.
Abstract: This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative FIPS-approved cryptographic hash function, in combination with a shared secret key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. The HMAC specification in this standard is a generalization of Internet RFC 2104, HMAC, Keyed-Hashing for Message Authentication, and ANSI X9.71, Keyed Hash Message Authentication Code.

388 citations


Proceedings Article
18 Nov 2002
TL;DR: The key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks.
Abstract: The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks. Passwords remain the most widely used authentication method despite their well-known security weaknesses. User authentication is clearly a practical problem. From the perspective of a service provider this problem needs to be solved within real-world constraints such as the available hardware and software infrastructures. From a user's perspective user-friendliness is a key requirement. In this paper we suggest a novel authentication scheme that preserves the advantages of conventional password authentication, while simultaneously raising the costs of online dictionary attacks by orders of magnitude. The proposed scheme is easy to implement and overcomes some of the difficulties of previously suggested methods of improving the security of user authentication schemes. Our key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks. This is done without affecting the usability of the system. The proposed scheme also provides better protection against denial of service attacks against user accounts.

375 citations


Book Chapter
18 Aug 2002
TL;DR: Deniable ring authentication is an authentication scheme based on ring signatures, where a verifier can verify that a member of an ad hoc subset of participants is authenticating a message without revealing which one (source hiding) and the verifier V cannot convince a third party that message m was indeed authenticated.
Abstract: Digital Signatures enable authenticating messages in a way that disallows repudiation. While non-repudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Signatures (see Rivest, Shamir and Tauman [38]). In this paper we show how to combine these notions and achieve Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad hoc subset of participants (a ring) is authenticating a message m without revealing which one (source hiding), and the verifier V cannot convince a third party that message m was indeed authenticated - there is no 'paper trail' of the conversation, other than what could be produced by V alone, as in zero-knowledge. We provide an efficient protocol for deniable ring authentication based on any strong encryption scheme. That is once an entity has published a public-key of such an encryption system, it can be drafted to any such ring. There is no need for any other cryptographic primitive. The scheme can be extended to yield threshold authentication (e.g. at least k members of the ring are approving the message) as well.

177 citations


Patent
03 Jul 2002
TL;DR: A scheme for authentication, dynamic key generation and exchange provides means for authentication of mobile nodes and networks, and for generation of per session, per node, security association and encryption keys for encrypting/decrypting communications between a mobile node and an access point in wireless local area networks.
Abstract: A scheme for authentication, dynamic key generation and exchange provides means for authentication of mobile nodes and networks, and for generation of per session, per node, security association and encryption keys for encrypting/decrypting communications between a mobile node and an access point in wireless local area networks. The scheme utilizes the same infrastructure and authentication information for both data link layers (layer 2) and network layers (layer 3). This scheme is particularly applicable to networks adhering to the IEEE 802 LAN family of standards.

172 citations


Patent
25 Jul 2002
TL;DR: In this article, the authors propose a method of multi-domain authorisation/authentication on a computer network consisting of a user making a request to a policy enforcement point of a computer for access to information on the computer; providing a location address for a user's authorisation and/or authentication information, a policy decision point of the service on the network then verifying the authorisation or authentication information.
Abstract: A method of multi-domain authorisation/authentication on a computer network comprises: a user making a request to a policy enforcement point of a computer for access to information on the computer; providing a location address for a user's authorisation and/or authentication information, a policy decision point of the service on the computer network then verifying the authorisation/authentication information; and the user being given access by the PEP to the information or the service requested, if the request is accepted, wherein the user's authorisation/authentication and/or further information is located on a meta policy decision point (MPDP).

164 citations


Journal Article
TL;DR: This paper introduces authentication tests and proves their soundness by giving new and straightforward proofs of security goals for several protocols, and illustrates how to use the authentication tests as a heuristic for finding attacks against incorrect protocols.

162 citations


01 Sep 2002
TL;DR: This memo specifies an Authentication and Key Agreement (AKA) based one-time password generation mechanism for Hypertext Transfer Protocol (HTTP) Digest access authentication.
Abstract: This memo specifies an Authentication and Key Agreement (AKA) based one-time password generation mechanism for Hypertext Transfer Protocol (HTTP) Digest access authentication. The HTTP Authentication Framework includes two authentication schemes: Basic and Digest. Both schemes employ a shared secret based mechanism for access authentication. The AKA mechanism performs user authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks. AKA is a challenge-response based mechanism that uses symmetric cryptography.

148 citations


Patent
03 Dec 2002
TL;DR: In this article, a system and method for multi-party authentication is described, which uses synchronous and persistent biometrics signals received from parties to a transaction, based on a policy, to approve a transaction request.
Abstract: A system and method for multi-party authentication is described. The multi-party authentication process uses synchronous and persistent biometrics signals received from parties to a transaction, based on a policy, to approve a transaction request. The biometrics signals preferably are expressed as compressed video signals having steganographically inserted challenge response data. Several business applications are described that are based on the multi-party authentication engine.

145 citations


Patent
09 Dec 2002
TL;DR: In this article, the authors present a system that facilitates authentication processes with web-enabled wireless devices, including those that do not support the use of cookie files, by analyzing an HTTP request file from a communication device for the presence of security token data.
Abstract: A system is disclosed which facilitates authentication processes with web-enabled wireless devices, including those that do not support the use of cookie files. To facilitate such authentication, a web server analyzes an HTTP request file from a communication device for the presence of security token data. Where none is found, a client is directed to a login page for input of authentication data, such as a user name and password information. Upon proper authentication, the client's communication device is issued a security token using standard HTML-INPUT tags. Thereafter, the web server determines if each additional HTTP request file received from the client includes a security token before responding to the request.

136 citations


Patent
Jr. Charles R. Reeves
12 Nov 2002
TL;DR: In this article, a client requests a ticket by providing credentials (user ID and password) over HTTP/SOAP/XML in the UDDI framework, and the authentication adapter constructs a ticket object for the client incorporating the privileges and other information, e.g., the security ID and a date/time stamp.
Abstract: A model for authentication and authorization of users and applications that use network services. A client requests a ticket by providing credentials (user ID and password), e.g., over HTTP/SOAP/XML in the UDDI framework. An authentication adapter in a receiving server deserializes the request into a data structure that provides access to the security ID and password attributes, and passes these attributes to an ID management system to perform authentication. The credentials also determine the user's or application's privileges. The authentication adapter constructs a ticket object for the client incorporating the privileges and other information, e.g., the security ID and a date/time stamp. The ticket object is serialized, encrypted, encoded for transmission and inserted into an appropriately-formatted XML message and returned to the requesting client. The client attaches the authentication ticket to subsequent service requests that require authentication. To validate the ticket, the ticket object is reconstructed from the request data.

Patent
20 Mar 2002
TL;DR: In this article, a scheme for selectively controlling access to the authentication information or portions thereof is presented. The scheme is based on an arrangement wherein the authentication information further includes specially encoded portions that can only be decoded by selected server-based services/processes.
Abstract: Methods and arrangements are provided to selectively control access to the authentication information or portions thereof. The methods and arrangements are based on a scheme wherein the authentication information further includes specially encoded portions that can only be decoded by selected server-based services/processes. One method for use in protecting information in forwarded authentication messages includes encoding the selected data using an encryption key, then encoding the encryption key itself, using at least one other encryption key that only certain selected servers/services have access to, and then encapsulating the resulting encoded data and the encoded encryption key in an authentication message. This and other methods are particularly applicable to Kerberos and other like authentication arrangements.

Proceedings Article
07 Aug 2002
TL;DR: Performance analysis and comparisons of the IPSec security algorithms in terms of time complexity and space complexity are presented; the analysis results revealed that HMAC-MD5 can be sufficient for the authentication purposes rather than using the more complicated HMAC-SHA1 algorithm.
Abstract: IPSec provides two types of security algorithms, symmetric encryption algorithms (e.g. data encryption standard DES) for encryption, and one-way hash functions (e.g., message digest MD5 and secured hash algorithm SHA1) for authentication. This paper presents performance analysis and comparisons between these algorithms in terms of time complexity and space complexity. Parameters considered are processing power and input size. The analysis results revealed that HMAC-MD5 can be sufficient for the authentication purposes rather than using the more complicated HMAC-SHA1 algorithm. In encryption applications, authentication should be combined with DES.

Patent
22 Aug 2002
TL;DR: An authentication system and method are provided that offer a greater degree of flexibility in using authentication devices while maintaining a high level of security; roughly three parts of organization are distinguished.
Abstract: An authentication system and method are provided that offer greater degree of flexibility in using authentication devices while maintaining a high level of security. Roughly three parts of organization are distinguished. At the first part, an arbiter defines a plurality of authentication levels. Each authentication level distinguishes one or more authentication factors. At the second part, an authorizer selects an access authentication level from the defined plurality of authentication levels. At the third part, it is requested from an authorizee to communicate via a portable authentication device the selected access authentication level in order for the authorizee to be authorized said access. Greater flexibility is provided to an authorizer in selecting an access authentication level within the definitions set by an arbiter. Greater flexibility is provided to an authorizee in allowing modifications to an authentication level and/or authentication factors within the definitions and/or rules set by the arbiter and authorizee.

Patent
13 Aug 2002
TL;DR: An authentication device which the user wears reads biometrics information and executes individual authentication by verification; only when the individual authentication has been successfully performed can authentication with an external unit (such as a server) be started.
Abstract: An authentication device which the user wears reads biometrics information and executes individual authentication by verification. Only when the individual authentication has been successfully performed, authentication with an external unit (such as a server) can be started. Then, only when both of the individual authentication based on the biometrics information and the mutual authentication between the external unit (such as a server) and the authentication device have been successfully performed, subsequent data processing such as payment processing can be executed. Therefore, even if a fraudulent third party uses a stolen authentication device, because the party cannot satisfy the start condition of authentication with the external server or a PC, fraudulent transactions and other illegitimate behaviors are effectively prevented.

Patent
25 Jun 2002
TL;DR: In this article, a mobile gateway receives authentication credentials from a mobile client and uses an authentication filter to map the authentication credentials according to pre-established criteria, such as domain name, username, or both.
Abstract: Methods, systems, and computer program products for authenticating a mobile client that may have an input system optimized for numeric input. A mobile gateway receives authentication credentials from a mobile client and uses an authentication filter to map the authentication credentials according to pre-established criteria. The authentication filter may change the domain name, the username, or both. Then, the mapped authentication credentials are sent to a network that includes the content server being accessed. Any access privileges granted to the mobile client are based on the mapped authentication credentials. The mobile gateway may be configured to accept connections only from known servers. Mobile authentication credentials may be maintained in one or more domains, possibly having a trust relationship, or may be stored in a separately administered credential database.

Journal Article
TL;DR: A deniable authentication protocol, which is based on the Diffie-Hellman key exchange protocol, is presented, and it does not require a trusted third party, and the protocol can resist person-in-the-middle attack.
Abstract: Deniable authentication is a new kind of authentication, by which means a receiver cannot prove the source of a message to a third party. A deniable authentication protocol, which is based on the Diffie-Hellman key exchange protocol, is presented. It does not require a trusted third party, and the protocol can resist person-in-the-middle attack.

Patent
20 Mar 2002
TL;DR: A federated authentication service technology for authenticating a subject (20) residing in a subject domain (12) on a network to a server application (38) residing in a server domain (18), wherein an authentication mechanism (32) residing in an authentication domain (16) affects the service provided by the server application.
Abstract: A federated authentication service technology (10) for authenticating a subject (20) residing in a subject domain (12) on a network to a server application (38) residing in a server domain (18), wherein an authentication mechanism (32) residing in an authentication domain (16) affects the service provided by the server application (38). A client (22), which may be integrated non-human instances of the subject (20), authenticates the subject (20) and a protocol proxy (34) mediates with the authentication mechanism (32) to obtain a name assertion which the client can use to access the server application (38). When multiple authentication mechanisms (32) are available, an optional agent (24), mechanism resolution process (26) and mechanism repository (28), all residing in an agent domain (14), may be used to resolve to one suitable authentication mechanism (32).

Patent
27 Nov 2002
TL;DR: In this article, a client is authenticated to a network resource wherein the client is coupled to a biometric sensor and transmits the captured biometric data to the network resource via the LAN authentication protocol.
Abstract: A client is authenticated to a network resource wherein the client is coupled to a biometric sensor. The client signals a request to the network resource (e.g., by connecting to an access point). The network resource initiates a point-to-point LAN authentication protocol between the network resource and the client. The network resource requests biometric data from the client via the LAN authentication protocol (optionally either before or after authenticating with other credentials). The client captures biometric data of an attendant user of the client. The client transmits the captured biometric data to the network resource via the LAN authentication protocol. The network resource encapsulates the biometric data in the LAN authentication protocol into an authentication server protocol and forwards the encapsulated biometric data to an authentication server. The authentication server compares the biometric data to a biometric template stored in conjunction with the authentication server for making a determination whether the attendant user should be granted access to the network resource. The authentication server sends either an access-accept message or an access-deny message in the authentication server protocol to the network resource in response to the determination. The network resource grants access to the client only after receiving an access-accept message.

Patent
Hiltgen Alain P
18 Mar 2002
TL;DR: In this article, the authors proposed a method of performing user authentication in a network system that comprises a client (22) in communication via a first network (14) with a server infrastructure (16) including an entrance point of a second network and an application server in the second network.
Abstract: The invention relates to a method of performing user authentication in a network system (10) that comprises a client (22) in communication via a first network (14) with a server infrastructure (16) including an entrance point of a second network and an application server in the second network. The client (22) has access via a user-controllable card reader (24) to a smart card (26). A first authentication key is associated with the smart card (26) and a second authentication key is associated with the card reader (24). In a first step user authentication is performed in context with an encryption process between the client (22) and the server infrastructure (16) using the first authentication key. A second user authentication step is performed between the client (22) and the application server using both the first authentication key and the second authentication key. Data authentication (secure signing) can be performed in addition to the user authentication described above.

Proceedings Article
13 May 2002
TL;DR: An overview of voice, fingerprint, and face authentication algorithms is provided for multi-modal authentication in signal processing.
Abstract: Biometrics is an emerging topic in the field of signal processing. While technologies (e.g. audio, video) for biometrics have mostly been studied separately, ultimately, biometric technologies could find their strongest role as intertwined and complementary pieces of a multi-modal authentication system. In this paper, a short overview of voice, fingerprint, and face authentication algorithms is provided.

Patent
18 Jan 2002
TL;DR: In this paper, receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent (107) are discussed. But the authentication agent is not involved in the transmission of the request.
Abstract: A method includes receiving an authentication request from a mobile station (401) and determining whether to forward the request to an authentication agent. When it is determined to forward the request, the request is forwarded to the authentication agent (107). A random number and a random seed are received from the authentication agent (107). The random number and the random seed are forwarded to the mobile station (401). A response to the random number and the random seed from the mobile station (401) is received and forwarded to the authentication agent (107). The authentication agent (107) compares the response with an expected response. When the authentication agent (107) authenticates the mobile station (401), a derived cipher key is received from the authentication agent (107).

Patent
John A. Bivens, Suresh Chari, James R. Giles, Reiner Sailer, Dinesh C. Verma
30 May 2002
TL;DR: In this article, the authors propose a method and apparatus for enabling a client to use a single set of credentials to access multiple secure applications at servers by intercepting all requests for applications that require authentication and initiating an authentication procedure with a proxy authentication application installed at the client.
Abstract: A method and apparatus for enabling a client to use a single set of credentials to access multiple secure applications at servers. A proxy authentication application at the server intercepts all requests for applications that require authentication, and initiates an authentication procedure with a proxy authentication application installed at the client. User credentials provided by the client authenticator are used by the server authenticator to determine the access credentials that should be forwarded to the server application on behalf of the users. The method allows per-user and per-application authentication decisions to be made at a system level rather than at an application level, even for legacy applications that are designed to require authentication at the application level, without modification to legacy client or server applications.

Proceedings Article
24 Jun 2002
TL;DR: The design process is organized around the authentication tests, a method for protocol verification based on the strand space theory, which dictate how randomly generated values such as nonces may be combined with encryption to achieve authentication and freshness.
Abstract: We describe a protocol design process, and illustrate its use by creating ATSPECT, an authentication test-based secure protocol for electronic commerce transactions. The design process is organized around the authentication tests, a method for protocol verification based on the strand space theory. The authentication tests dictate how randomly generated values such as nonces may be combined with encryption to achieve authentication and freshness. ATSPECT offers functionality and security guarantees akin to the purchase request, payment authorization, and payment capture phases of SET, the secure electronic transaction standard created by the major credit card firms.

Proceedings Article
16 Dec 2002
TL;DR: A novel highly efficient single-chip hardware design of the SHA-384 and SHA-512 authentication algorithms achieves a throughput of 479 Mbits/sec utilising a shift register design approach and look-up tables (LUTs).
Abstract: The rapid developments in the communications industry over the last decade have led to an escalation in the amount of sensitive data being transmitted over the Internet. This has resulted in an increased awareness of the need to provide security measures. Authentication is one such security measure. A novel highly efficient single-chip hardware design of the SHA-384 and SHA-512 authentication algorithms is described in this paper. The compact implementation achieves a throughput of 479 Mbits/sec utilising a shift register design approach and look-up tables (LUTs). This is believed to be the first SHA-384/SHA-512 hardware implementation to be reported in the literature.

Patent
27 Jun 2002
TL;DR: In this article, a system providing for user access of secure resources upon user authentication by a remote authentication server, a successful user authentication is saved locally for use when the authentication server is not available.
Abstract: In a system providing for user access of secure resources upon user authentication by a remote authentication server, a successful user authentication is saved locally for use when the authentication server is not available. The successful user authentication returns an authenticated credential which is stored on the local client utilizing a security method such as Public Key Infrastructure which prevents tampering with the credential. If a gateway machine provides connectivity between the client and the authentication server, the credential is also stored on the gateway.

Patent
Zheng Qi
08 Jan 2002
TL;DR: In this paper, the authors proposed an architecture for an authentication engine to increase the speed at which SHA1 multi-loop and/or multi-round authentication algorithms may be performed on data packets transmitted over a computer network.
Abstract: Provided is an architecture (hardware implementation) for an authentication engine to increase the speed at which SHA1 multi-loop and/or multi-round authentication algorithms may be performed on data packets transmitted over a computer network. As described in this application, the invention has particular application to the variant of the SHA1 authentication algorithms specified by the IPSec cryptography standard. In accordance with the IPSec standard, the invention may be used in conjunction with data encryption/encryption architecture and protocols. However it is also suitable for use in conjunction with other non-IPSec cryptography algorithms, and for applications in which encryption/decryption is not conducted (in IPSec or not) and where it is purely authentication that is accelerated. Among other advantages, an authentication engine in accordance with the present invention provides improved performance with regard to the processing of short data packets.

Patent
25 Apr 2002
TL;DR: A system, process and articles for authentication of a party in transaction using authentication keys embedded in a portable physical medium in the possession of the party plus a password entered by that party that are compared against a data base by an authentication server, wherein said physical medium integrally includes another medium containing information uniquely associated with said party.
Abstract: A system, process and articles for authentication of a party in transaction using authentication keys embedded in a portable physical medium in the possession of the party plus a password entered by that party that are compared against a data base by an authentication server, wherein said physical medium integrally includes a second medium containing information uniquely associated with said party.

Proceedings Article
26 Aug 2002
TL;DR: A comprehensive overview of current tamper detection and authentication methods based on the digital watermarking is presented and some suggestions for future researches are given.
Abstract: In recent years, multimedia authentication techniques have been widely used in the integrity and content authentication of digital media. Current multimedia authentication schemes can be divided into 2 categories according to the authenticator: digital signature-based and digital watermarking-based. In this paper, a comprehensive overview of current tamper detection and authentication methods based on the digital watermarking is presented. We discuss authentication watermarking system and its desirable features, common methods of attack and their countermeasures, and survey some popular authentication watermarking schemes, finally give some suggestions for future researches.

Patent
31 May 2002
TL;DR: In this article, a data sequence is received at a cryptography accelerator and an encrypted authentication code and encrypted data sequence are provided efficiently upon performing single pass authentication and encryption operations on the data sequence.
Abstract: Methods and apparatus are provided for a cryptography accelerator to efficiently perform authentication and encryption operations. A data sequence is received at a cryptography accelerator. An encrypted authentication code and an encrypted data sequence are provided efficiently upon performing single pass authentication and encryption operations on the data sequence.